DETAILED ACTION

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1-6 and 9-14 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Powers (US 5,655,020), and further in view of Brown et al (US 
5,941,947). 

a. Referring to claims 1 and 9: 
i. Powers teaches: 

(1) receiving a code [i.e., receiving a first code 
comprising a plurality of characters in sequential positions identifying the 
authorized person (column 2, lines 44-45)]; 

(2) verifying a first entitlement as determined by the first 
code for accessing a first function (180) providing full transaction rights access [i.e., as 
shown in Figure 2a, step 20 is to look up, that is "to verify" pin 1, that is, 
"determined by a first code"]; 

(3) authorizing access to the first function (180) if the first
entitlement is recognized [as shown in Figure 2a, step 20a found decision can 
include "authorizing access to the first function if the first code is recognized"]; 
and 

(4) if the first entitlement is not recognized, using the 
code to verify a second entitlement as determined by a second code that is different 
from the first code, to trigger at least one second function (170) providing reduced or 
altered transaction rights without revealing the fact that the code does not make it 
possible to obtain the first entitlement [i.e., receiving a second code comprising a 
plurality of characters in sequential positions obtained from an actual user; 



Application/Control Number: 09/582,797 
Art Unit: 2135 



comparing the characters of the second code with the characters in 
corresponding positions of the first code to determine identity between the codes 
in all but one of the character positions (column 2, lines 46-51)]; 

(5) the method being characterized in that the step of 
verifying the second entitlement comprises the operations consisting in: obtaining a new 
code from the received code by means of a second transformation (140) that is the 
inverse of a first simple transformation that enables the holder of the first code to obtain 
the second code from the first code; and testing the new code by performing again the 
step of verifying the first entitlement [i.e., receiving a first code comprising a plurality 
of characters in sequential positions identifying the authorized person; receiving 
a second code comprising a plurality of characters in sequential positions 
obtained from an actual user, the second code having more characters than the 
first code; comparing the characters of the second code with the characters of 
the first code to determine whether the second code contains a sequence of 
characters in the same order as the sequence in the first code (column 3, lines 
15-21)]; 

ii. However, Powers does not explicitly mention:

(1) providing full transaction rights access and providing 
reduced or altered transaction rights. 

iii. Whereas, Brown teaches: 

(1) the service applications running on the various 
application servers initiate user-specific queries of the access rights database to obtain 
access rights lists of specific users. With each user-specific access rights query, the 
security server that receives the query accesses the access rights database and 
generates an access rights list which fully specifies the access rights of the user. This 
access rights list is returned to the application server that generated the query, and is 
stored within an access rights cache of the application server. The service which 
initiated the query can then rapidly determine the access rights of the user with
respect to specific content objects (as described below) by accessing its locally-stored 
copy of the user's access rights list. Because a user may be connected simultaneously 
to multiple application servers of the on-line services network (when, for example, the
user opens multiple services), the access rights list of a given user may be stored
concurrently within the respective caches of multiple application servers. Furthermore,
in accordance with another feature of the invention, the access rights list of each user
includes pairs of tokens and corresponding access rights values. Each token in the list 
identifies a content category to which the user has at least some access rights. For 
example, a token of "5" in the list indicates that the user has access to all content 
objects which fall within content category 5. Each access rights value in the list 
specifies the access rights of the user with respect to a corresponding content category. 
The access rights values are preferably in the form of privilege level masks which 
specify one or more general privilege levels (such as "viewer," "user," "host," "sysop," 
and "supersysop"). These general privilege levels are translated into specific sets of 
access capabilities by the on-line service applications. For example, the BBS service 
may give users with sysop-level privileges the capability to delete and rename BBS 
messages (column 3, lines 26-62).

iv. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 

(1) include all or some access rights determined by the
access rights list that is generated from the access rights database (in Powers) for
controlling user access to data entities in a computer network (column 2, lines 20-21 of
Brown).

v. The ordinary skilled person would have been motivated to: 
(1) include all or some access rights determined by the
access rights list that is generated from the access rights database (in Powers) due to the
increasing popularity of on-line services networks, and with the increasing need for such 
networks to provide limited user access to the Internet, it has become increasingly 
important to be able to provide large numbers of users with controlled access to large 
numbers of content entities. In the network described in the above-referenced 
application, for example, it is contemplated that the number of subscribers may be in the 
millions, and that the number of content entities may be in the tens of thousands. To 
provide flexibility, it is also desirable to be able to individualize the access rights of users
(column 1, lines 57-67 of Brown). 

b. Referring to claims 2 and 10: 
i. Powers teaches: 

(1) characterized by the fact that said first simple 
transformation is performed by a unit shift of one character of the first code [i.e., a user 
will be instructed to deliberately alter one character in his personal identification 
number before he uses it (column 3, lines 48-50)]. 

c. Referring to claim 3: 

i. Powers teaches: 

(1) characterized by the fact that the steps consisting in
verifying the first and second entitlements make use of digitally-recorded user profile 
[i.e., as shown in Figure 1, in the memory 10 there is stored a databank having a 
plurality of files, each file being identifiable by data derived from the credit card,
that is "digitally-recorded user profile", and containing permitted user data 
including a personal identification number and additional user data such as the 
permitted user's address, telephone number, age, date of birth etc (column 5, 
lines 36-41)]. 

d. Referring to claims 4 and 12: 
i. Powers teaches: 

(1) characterized by the fact that the second function 
(170) consists in displaying a message selected randomly from a plurality of messages 
stating that access to the first function (180) is not possible, without specifying that the 
code is not the right code for obtaining the first entitlement [i.e., as shown in Figure 2a, 
at step 21, the length of the PIN (PIN 2) offered by the user is compared with the 
authentic PIN (PIN 1) and if the number of characters is not the same the 
transaction is rejected, wherein the displaying a message is inherently provided, 
(column 5, lines 59-62)]. 

e. Referring to claim 5: 

i. Powers teaches: 
(1) characterized by the fact that the first function (180) is
a bank transaction [i.e., in step 20 data is derived from a credit card offered for use 
via the magnetic stripe reader 2, that is, "a bank transaction", and is passed to 
the controller 8 to cause the PIN (PIN 1) associated with the permitted user of that 
credit card to be located (column 5, lines 51-55)]. 

f. Referring to claims 6 and 14: 
i. Powers teaches: 

(1) characterized by the fact that it further comprises a 
disabling step (200) if the step that consists in verifying whether the first entitlement has 
been tested more than a determined number of times without success [i.e., if a 
sequence of characters has been located in the second code (PIN2) 
corresponding to the first code (PIN1) the computer system then checks at step
228 to see whether or not that version of the personal identification number has 
already been used within a predetermined time period. If it has been used then 
the transaction is rejected (column 7, lines 5-9)]. 

g. Referring to claim 11: 

i. Powers teaches: 

(1) characterized by the fact that it is used for making a 
banking transaction secure [i.e., as one example of "banking transaction secure", 
the retailer then enters the version of the personal identification number offered 
by the customer into the computer system and awaits an authentication or invalid 
signal. Alternatively, the customer enters the number himself. If the version of 
the personal identification number which has been offered differs from the 
correct personal identification number according to a predetermined corruption 
algorithm and if that version of the personal identification number has not already 
been used within a predetermined time period the computer system will indicate 
that the user is authenticated. In other circumstances the computer system will 
produce a transaction invalid signal and this will prompt the retailer to ask further 
questions of the customer concerning personal details relating to the permitted 
user of the card (column 5, lines 15-28)]. 

h. Referring to claim 13:

i. This claim has limitations that are similar to those of claim 5,
thus it is rejected with the same rationale applied against claim 5 above.
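
The verification flow recited above for claims 1, 2 and 6, as an added Python illustration that is not part of the Office action, the application, or the cited references. Assumptions: codes are decimal digits, the holder's "unit shift" adds 1 (mod 10) to the last digit, the disabling threshold is 3, and the names `Account`, `inverse_shift` and `MAX_FAILURES` are hypothetical.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed; the claim says only "a determined number of times"
SHIFT_POS = -1    # assumed: the holder adds 1 (mod 10) to the last digit

def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

def inverse_shift(code: str, pos: int = SHIFT_POS) -> str:
    """Second transformation: undo the unit shift on one digit."""
    digits = list(code)
    digits[pos] = str((int(digits[pos]) - 1) % 10)
    return "".join(digits)

class Account:
    """Hypothetical account record; only the first code is enrolled."""

    def __init__(self, first_code: str):
        self.salt = os.urandom(16)
        self.ref = _digest(first_code, self.salt)
        self.failures = 0

    def _verify_first(self, code: str) -> bool:
        return hmac.compare_digest(_digest(code, self.salt), self.ref)

    def authenticate(self, code: str) -> str:
        """Return 'full', 'reduced', 'denied' or 'disabled' (internal only)."""
        if self.failures >= MAX_FAILURES:
            return "disabled"
        if code.isascii() and code.isdigit():
            # Run both checks every time so timing does not show which matched.
            full = self._verify_first(code)
            reduced = self._verify_first(inverse_shift(code))
            if full or reduced:
                self.failures = 0
                # The caller must present 'reduced' without indicating that
                # the first entitlement was not obtained.
                return "full" if full else "reduced"
        self.failures += 1
        return "denied"

if __name__ == "__main__":
    acct = Account("4821")  # constructed sample PIN
    for attempt in ("4821", "4822", "0000"):
        print(attempt, acct.authenticate(attempt))
```

Because the second entitlement is tested by re-running the first verification on the inverse-transformed input, no second reference value is stored.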

3. Claims 7-8 and 15-16 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Powers, and further in view of Brown and Lichty (US 4,774,500).
a. Referring to claims 7 and 8: 

i. Powers and Brown teach the claimed subject matter except for:

(1) characterized by the fact that the steps consisting in
verifying the first and second entitlements make use of a microprocessor card (10).

(2) characterized by the fact that the second simple 
transformation (140) is itself a function of parameters that are accessible on the 
microprocessor card (10). 

ii. Lichty teaches: 

(1) when the microprocessor cards are issued to 
individual users, a validation procedure is executed on a validating terminal. The 
procedure generally requires the issuer to enter the correct manufacturers' assigned key
number in order to confirm that the card is authorized. A PIN is then assigned to or 
selected by the cardholder and stored in the secret zone. Upon completion of the 
validation procedure, the card MPU irreversibly alters its program so that the words 
written in the secret memory zone cannot be altered. Thereafter, upon using the card, a 
user must enter the correct PIN in order to confirm that the card is being used by its 
authorized user (column 6, lines 65-68 through column 7, lines 1-9). 

(2) a useful development in account cards has been to 
incorporate a magnetic, semiconductor, or optically written memory for storing account 
information, current balances, or other user information in the card itself (column 1, 26-29).

iii. It would have been obvious to a person having ordinary skill 
in the art at the time the invention was made to: 
(1) apply such microprocessor card in Powers' recited
elements because such memory cards allow the user to access distributed terminals for 
off-line transactions, by reading and/or updating the stored information, without needing 
to have the transaction validated through a central system (column 1, lines 30-34 of 
Lichty). 

iv. The ordinary skilled person would have been motivated to: 
(1) include such microprocessor card in Powers' recited
elements since account cards having on-board memories can be made secure against 
data tampering by using a storage medium which is non-erasable, i.e. data is written 
once on the card and cannot be erased or changed (column 1, lines 39-42 of Lichty). 
b. Referring to claims 15 and 16: 

i. These claims have limitations that are similar to those of
claims 7 and 8, thus they are rejected with the same rationale applied against claims 7 and 8
above.

Response to Argument 

4. Applicant's arguments with respect to claims have been considered but
are moot in view of the new ground(s) of rejection. The applicant's arguments are
directed to newly amended independent claims 1 and 9; therefore, a response to the
arguments is not necessary.

Conclusion 

5. Applicant's amendment necessitated the new ground(s) of rejection 
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See 
MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 
37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply is filed 
within TWO MONTHS of the mailing date of this final action and the advisory action is 
not mailed until after the end of the THREE-MONTH shortened statutory period, then 
the shortened statutory period will expire on the date the advisory action is mailed, and 
any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for reply expire
later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Thanhnga (Tanya) Truong whose telephone number 
is 703-305-0327. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached on 703-305-4393. The fax and phone 
numbers for the organization where this application or proceeding is assigned is
703-872-9306.

Any inquiry of a general nature or relating to the status of this application 
or proceeding should be directed to the receptionist whose telephone number is
703-305-3900.

TC 2100 will be moved to Carlyle in October 2004, the new telephone 
number for TC 2100 receptionist is 571-272-2100. In October 2004, any inquiry 
concerning this communication should be directed to Thanhnga (Tanya) Truong whose 
new telephone number is 571-272-3858, and the examiner's supervisor, Kim Vu can be 
reached at 571-272-3859. 



TBT 

October 18, 2004 